Analysis
-
max time kernel
113s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-03-2024 18:48
General
-
Target
2f777dad2191c26d1472b8e4c612fc1c372e810adc851fafa7601a819bda1c10.dll
-
Size
120KB
-
MD5
d5ade40fb3fe4bfedee0f76af1816bd9
-
SHA1
9d08f618fe80ec923576ebc774e1e6fd438ab785
-
SHA256
2f777dad2191c26d1472b8e4c612fc1c372e810adc851fafa7601a819bda1c10
-
SHA512
cbecfb09f4258d64580d6735d7fbd4ae6fec3127bc061737ed3dfc8751bcf080a6a44a4a5d93c34643d3edf1ee84c0a63ad14c26299c20ce962610326ba5b8b4
-
SSDEEP
3072:Jnm9qtiAfpKdBgZoUEC2onnIMAnCAgtVEr3DvzJAW:wqiAWUEClnnTQrUErv
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 28 IoCs
-
UPX dump on OEP (original entry point) 33 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2f777dad2191c26d1472b8e4c612fc1c372e810adc851fafa7601a819bda1c10.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2f777dad2191c26d1472b8e4c612fc1c372e810adc851fafa7601a819bda1c10.dll,#13⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e57e985.exeC:\Users\Admin\AppData\Local\Temp\e57e985.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e57f03c.exeC:\Users\Admin\AppData\Local\Temp\e57f03c.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\e580134.exeC:\Users\Admin\AppData\Local\Temp\e580134.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\e5801d0.exeC:\Users\Admin\AppData\Local\Temp\e5801d0.exe4⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ffc1a842e98,0x7ffc1a842ea4,0x7ffc1a842eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2240 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2296 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2560 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5264 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5580 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Create or Modify System Process
1Windows Service
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Modify Registry
5Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e57e985.exeFilesize
97KB
MD5de0127a559d62dacdb9661e993e8b6d8
SHA102f9f4bea94bba2907744d8d14406c21d891f054
SHA256927eeaf443b9ac9ff4acc1165b9167fefdfa6181a35675ffc6435f0804238ac7
SHA51220cb05cd8413e5b7375fe6738e0784134bb3297c28059b5f43ed61af0d3ffab47722a69b5cb6e3a1328d0dd95dcb1526e0a346545a1372732e93dc4d6f5d85bc
-
C:\Windows\SYSTEM.INIFilesize
257B
MD5ef2f0a713fd1fe494f5a19eb7b12f170
SHA156a519245115e081335583a92412f8a3ebd12143
SHA256d7df686279f3e57c93b0062d1ab65395cb698e60985080fa7b893a91ef6a6987
SHA512f184b6657e052a78d0d46cf7c9e2ca017f85d29adc7bf6905f587743dcb8b19136e59efe2abd87ab53641bada3030f7db3d5be1dc63c087433fe20a2cc598b21
-
memory/1724-65-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1724-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1724-66-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2368-50-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-71-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2368-6-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-53-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-10-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-19-0x0000000003D30000-0x0000000003D31000-memory.dmpFilesize
4KB
-
memory/2368-18-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-23-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2368-101-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2368-29-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-30-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-31-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-32-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-52-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-33-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-35-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-36-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-82-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-93-0x0000000003520000-0x0000000003522000-memory.dmpFilesize
8KB
-
memory/2368-48-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-80-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-34-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-78-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-67-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-76-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-73-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-57-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-54-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-8-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2368-9-0x0000000000760000-0x000000000181A000-memory.dmpFilesize
16.7MB
-
memory/2896-60-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/2896-22-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2896-104-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2896-58-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4036-62-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/4036-142-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4036-63-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4036-68-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/4036-45-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4036-106-0x0000000000B50000-0x0000000001C0A000-memory.dmpFilesize
16.7MB
-
memory/4036-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4456-11-0x00000000045F0000-0x00000000045F2000-memory.dmpFilesize
8KB
-
memory/4456-47-0x00000000045F0000-0x00000000045F2000-memory.dmpFilesize
8KB
-
memory/4456-15-0x00000000045F0000-0x00000000045F2000-memory.dmpFilesize
8KB
-
memory/4456-12-0x00000000045F0000-0x00000000045F2000-memory.dmpFilesize
8KB
-
memory/4456-13-0x0000000004720000-0x0000000004721000-memory.dmpFilesize
4KB
-
memory/4456-0-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB